instance method
attr_protected
Ruby on Rails 3.1.12
Since v3.0.20 Last seen in v3.2.22.5Signature
attr_protected(*args)
Attributes named in this macro are protected from mass-assignment whenever attributes are sanitized before assignment. A role for the attributes is optional, if no role is provided then :default is used. A role can be defined by using the :as option.
Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. Example:
class Customer
include ActiveModel::MassAssignmentSecurity
attr_accessor :name, :credit_rating
attr_protected :credit_rating, :last_login
attr_protected :last_login, :as => :admin
def assign_attributes(values, options = {})
sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
send("#{k}=", v)
end
end
end
When using the :default role :
customer = Customer.new
customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
customer.name # => "David"
customer.credit_rating # => nil
customer.last_login # => nil
customer.credit_rating = "Average"
customer.credit_rating # => "Average"
And using the :admin role :
customer = Customer.new
customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
customer.name # => "David"
customer.credit_rating # => "Excellent"
customer.last_login # => nil
To start from an all-closed default and enable attributes as needed, have a look at attr_accessible.
Note that using Hash#except or Hash#slice in place of attr_protected to sanitize attributes won’t provide sufficient protection.
Parameters
-
argsrest
Source
# File activemodel/lib/active_model/mass_assignment_security.rb, line 95
def attr_protected(*args)
options = args.extract_options!
role = options[:as] || :default
self._protected_attributes = protected_attributes_configs.dup
Array.wrap(role).each do |name|
self._protected_attributes[name] = self.protected_attributes(name) + args
end
self._active_authorizer = self._protected_attributes
end
Defined in activemodel/lib/active_model/mass_assignment_security.rb line 95
· View on GitHub
· Improve this page
· Find usages on GitHub
Defined in ActiveModel::MassAssignmentSecurity::ClassMethods